From 7fa298e7312037391c96d7f910de84b10e48ddb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz>
Date: Thu, 2 Feb 2023 21:49:42 +0100
Subject: [PATCH] Changed the character set of generated passwords

Passwords which may be passed via HTTP basic auth (as "<username>:<password>") shouldn't contain a colon. Although it should work according to corresponding RFC, a colon in password causes problems in some servers (Cortex at minimum). Therefore, we only allow letters and numbers in most of the automatically generated passwords.
---
 roles/ca/tasks/main.yml | 6 +++---
 roles/cortex/tasks/configure.yml | 2 +-
 roles/cortex/templates/admin.json | 2 +-
 roles/cortex/templates/application.conf.j2 | 4 ++--
 roles/haproxy/templates/haproxy.cfg.j2 | 6 +++---
 roles/keycloak/tasks/init.yml | 2 +-
 roles/keycloak/templates/initkeycloakrealm.sh.j2 | 4 ++--
 roles/misp/tasks/config.yml | 2 +-
 roles/nifi/templates/flow.xml.j2 | 2 +-
 roles/opensearch-dashboards/files/env.js.j2 | 2 +-
 roles/opensearch-dashboards/tasks/init.yml | 6 +++---
 roles/opensearch-dashboards/tasks/start.yml | 2 +-
 roles/opensearch-dashboards/tasks/update-config.yml | 2 +-
 roles/opensearches/tasks/init.yml | 6 +++---
 roles/thehive/tasks/createusers.yml | 2 +-
 roles/thehive/tasks/kibanauser.yml | 4 ++--
 roles/thehive/tasks/organization.yml | 2 +-
 roles/thehive/templates/adminpass.json | 2 +-
 roles/thehive/templates/application.conf.j2 | 2 +-
 utils/flow2template.py | 2 +-
 20 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml
index bc7bcfc..fecf37e 100644
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -138,7 +138,7 @@
 expect:
 command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item.CN}}"
 responses:
- Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+ Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}} chars=ascii_letters,digits')}}"
 with_items:
 - "{{USER_MGMT_ADMIN_USER}}"
 - "{{soctools_users}}"
@@ -157,7 +157,7 @@
 # expect:
 # command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.crt.pem" -clcerts -nokeys
 # responses:
-# Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+# Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}} chars=ascii_letters,digits')}}"
 # with_items:
 # - "{{USER_MGMT_ADMIN_USER}}"
@@ -165,6 +165,6 @@
 # expect:
 # command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.key.pem" -nocerts -nodes
 # responses:
-# Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+# Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}} chars=ascii_letters,digits')}}"
 # with_items:
 # - "{{USER_MGMT_ADMIN_USER}}"
diff --git a/roles/cortex/tasks/configure.yml b/roles/cortex/tasks/configure.yml
index a02b3a2..7ebfbf7 100644
--- a/roles/cortex/tasks/configure.yml
+++ b/roles/cortex/tasks/configure.yml
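Review bot: The `chars=ascii_letters,digits` argument on the new `Enter Export Password:` line only takes effect when `secrets/passwords/{{item.CN}}` does not exist yet; Ansible's `password` lookup returns an existing file's content unchanged, so deployments whose secrets were generated before this patch keep passwords drawn from the default character set and the colon problem from the commit message persists until those files are regenerated. The same applies to every other hunk in this patch (cortex, haproxy, keycloak, misp, nifi, opensearch-dashboards, opensearches, thehive and utils/flow2template.py). Because whichever lookup runs first decides the character set, every reference to a given secret file needs the same `chars=` argument; a reference outside this diff that still uses the default set would, if it runs first, generate a password that may contain punctuation (the `secrets/passwords/truststore` lookups in the keycloak, opensearches and flow2template.py hunks are deliberately left on the default set, which is fine as long as no basic-auth consumer uses that file). A comment on the first lookup, `# chars= only applies when the secret file is first generated; regenerate secrets/passwords/* on existing deployments`, would make this explicit.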
@@ -36,7 +36,7 @@
 - name: generate api key for admin user
 remote_user: root
- shell: "curl -XPOST -u 'admin:{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass')}}' 'http://127.0.0.1:9001/api/user/admin/key/renew'"
+ shell: "curl -XPOST -u 'admin:{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass chars=ascii_letters,digits')}}' 'http://127.0.0.1:9001/api/user/admin/key/renew'"
 run_once: True
 register: cortexadminuserkey
 args:
diff --git a/roles/cortex/templates/admin.json b/roles/cortex/templates/admin.json
index 4eb4b06..d5ee877 100644
--- a/roles/cortex/templates/admin.json
+++ b/roles/cortex/templates/admin.json
@@ -1 +1 @@
-{"login":"admin","name":"Admin","password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass')}}","roles":["superadmin"],"organization":"cortex"}
+{"login":"admin","name":"Admin","password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass chars=ascii_letters,digits')}}","roles":["superadmin"],"organization":"cortex"}
diff --git a/roles/cortex/templates/application.conf.j2 b/roles/cortex/templates/application.conf.j2
index 88f5333..77c3d53 100644
--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -6,7 +6,7 @@
 #
 # IMPORTANT: If you deploy your application to several instances, make
 # sure to use the same key.
-play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_secret_key')}}"
+play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_secret_key chars=ascii_letters,digits')}}"
 ## ElasticSearch
 search {
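Review bot: The rewritten `shell:` line still interpolates the admin password into the `curl -u 'admin:...'` argument, so the rendered command ends up in the module result's `cmd` field (printed on failure and under `-v`, and stored in the registered `cortexadminuserkey` together with the renewed API key) and is visible in the container's process list while curl runs. Adding `no_log: true` to this task would keep the rendered command and the registered result out of play output and callback/log plugins. The same applies to the other tasks in this patch that place a secret on a command line or in a request header: keycloak `init.yml`, misp `config.yml`, opensearch-dashboards `init.yml`/`start.yml`/`update-config.yml`, opensearches `init.yml`, and thehive `createusers.yml`, `kibanauser.yml` and `organization.yml`. The task's `args:` block continues outside the hunk.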
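Review bot: `play.http.secret.key` is now drawn from a 62-character alphabet at the lookup's default length of 20 characters, roughly 119 bits of entropy, which is shorter than the 32 bytes Play 2.6+ expects for the application secret (it logs a warning below that length and, depending on Play version and run mode, may refuse to start). Since the same lookup generates the value, an explicit length on the new line, `play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_secret_key chars=ascii_letters,digits length=64')}}"`, would satisfy that requirement; the `thehive/templates/application.conf.j2` hunk at the end of the patch has the same issue with `secrets/tokens/thehive_secret_key`, and there every other reference to that file in this patch would need the same `length=` argument. As with the other hunks, the new arguments only apply when the secret file is first generated.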
@@ -34,7 +34,7 @@ search {
 ##
 ## Authentication configuration
 ## search.username = "cortex"
-## search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
+## search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe chars=ascii_letters,digits')}}"
 ## ## ## SSL configuration
 ## search.keyStore {
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 3e3502f..c6dd7a5 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -17,8 +17,8 @@ defaults
 timeout server 20s
 userlist mycredentials
- user {{soctools_users[0].username}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}}')}}
- user {{soctools_users[0].email}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}}')}}
+ user {{soctools_users[0].username}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}} chars=ascii_letters,digits')}}
+ user {{soctools_users[0].email}} insecure-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].username}} chars=ascii_letters,digits')}}
 listen stats
 bind 0.0.0.0:8888 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
@@ -26,7 +26,7 @@ listen stats
 stats hide-version
 stats uri /
 stats realm HAProxy Statistics
- stats auth haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}}
+ stats auth haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats chars=ascii_letters,digits')}}
 tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/stats_whitelist.lst }
 listen nifiserv
diff --git a/roles/keycloak/tasks/init.yml b/roles/keycloak/tasks/init.yml
index 59c0655..99b902d 100644
--- a/roles/keycloak/tasks/init.yml
+++ b/roles/keycloak/tasks/init.yml
@@ -28,7 +28,7 @@
 - name: Set admin password
 remote_user: jboss
- command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin')}}"
+ command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin chars=ascii_letters,digits')}}"
 ignore_errors: True
 - name: Configure logging format
diff --git a/roles/keycloak/templates/initkeycloakrealm.sh.j2 b/roles/keycloak/templates/initkeycloakrealm.sh.j2
index 7d35f8e..b18bd77 100644
--- a/roles/keycloak/templates/initkeycloakrealm.sh.j2
+++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2
@@ -6,7 +6,7 @@
 exec > /opt/jboss/keycloak/initkeycloak.log 2>&1
 kcadm.sh config truststore --trustpass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} /opt/jboss/keycloak/cacerts.jks
-kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin')}}"
+kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keycloak_admin chars=ascii_letters,digits')}}"
 kcadm.sh create realms -b '{ "enabled": "true", "id": "{{openid_realm}}", "realm": "{{openid_realm}}"}'
 kcadm.sh create realms/{{openid_realm}}/authentication/flows/browser/copy -b '{ "id": "browser-x509", "newName": "X.509 Browser" }'
 BROWSERFORM=$(kcadm.sh create realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions/execution -i -b '{ "provider": "auth-x509-client-username-form" }')
@@ -19,7 +19,7 @@ kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{USER_MGMT_ADMIN_USER.DN}}"],"CN": ["{{USER_MGMT_ADMIN_USER.CN}}"]},"username":"{{USER_MGMT_ADMIN_USER.username}}","groups": ["/GN43WP8T31"] }'
 {% for user in soctools_users %}
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
-kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}
+kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN+' chars=ascii_letters,digits')}}
 {% endfor %}
 NIFICLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-nifi","protocol":"openid-connect","clientAuthenticatorType": "client-secret","redirectUris": ["https://{{soctoolsproxy}}:9443/*" ],"webOrigins": [], "publicClient": false }')
diff --git a/roles/misp/tasks/config.yml b/roles/misp/tasks/config.yml
index cb05220..fbe4872 100644
--- a/roles/misp/tasks/config.yml
+++ b/roles/misp/tasks/config.yml
@@ -1,7 +1,7 @@
 ---
 - name: Change password of default user
- shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin') }}"
+ shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin chars=ascii_letters,digits') }}"
 - name: Configure MISP
 shell: '/var/www/MISP/app/Console/cake Admin setSetting {{item.var}} {{item.value}}'
diff --git a/roles/nifi/templates/flow.xml.j2 b/roles/nifi/templates/flow.xml.j2
index dcc40b5..739c762 100644
--- a/roles/nifi/templates/flow.xml.j2
+++ b/roles/nifi/templates/flow.xml.j2
@@ -12619,7 +12619,7 @@
 <variable name="elastic_username" value="{{ elastic_username }}" />
 <variable name="misp_url" value="{{ misp_url }}" />
 <variable name="elastic_urls" value="https://soctools-opensearch-1:9200/,https://soctools-opensearch-2:9200/" />
- <variable name="elastic_password" value="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}}" />
+ <variable name="elastic_password" value="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits')}}" />
 </rootGroup>
 <controllerServices />
 <reportingTasks />
diff --git a/roles/opensearch-dashboards/files/env.js.j2 b/roles/opensearch-dashboards/files/env.js.j2
index e1adb4b..d4f495f 100644
--- a/roles/opensearch-dashboards/files/env.js.j2
+++ b/roles/opensearch-dashboards/files/env.js.j2
@@ -1,4 +1,4 @@
 // Default plugin configuration
 export const THEHIVE_URL = 'https://{{soctoolsproxy}}:9000';
-export const THEHIVE_API_KEY = '{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_kibana_secret_key')}}';
+export const THEHIVE_API_KEY = '{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_kibana_secret_key chars=ascii_letters,digits')}}';
 export const THEHIVE_OWNER = '{{THEHIVE_KIBANA_USER.username}}'; // default owner account of the created cases
diff --git a/roles/opensearch-dashboards/tasks/init.yml b/roles/opensearch-dashboards/tasks/init.yml
index 8416ad6..675f9f8 100644
--- a/roles/opensearch-dashboards/tasks/init.yml
+++ b/roles/opensearch-dashboards/tasks/init.yml
@@ -78,7 +78,7 @@
 - name: Check Opensearch Dashboards health
 remote_user: dashboards
 shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{soctoolsproxy}}:5601/api/status" \
- --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+ --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
 | egrep "status....overall....since...[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}.[0-9]{3}Z...state...green"'
 register: result
 until: result.rc == 0
@@ -96,7 +96,7 @@
 remote_user: dashboards
 shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
 -b /tmp/cookie.txt -c /tmp/cookie.txt \
- -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+ -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
 -H "osd-xsrf: reporting" -H "Content-Type: multipart/form-data" \
 -F "file=@/tmp/opensearch-dashboards_graphs.ndjson"'
 ignore_errors: True
@@ -111,7 +111,7 @@
 remote_user: dashboards
 shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/v1/configuration/rolesmapping/all_access" \
 -b /tmp/cookie.txt -c /tmp/cookie.txt \
- -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+ -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
 -H "osd-xsrf: reporting" -H "Content-Type: application/json" \
 -d @/tmp/role.json'
diff --git a/roles/opensearch-dashboards/tasks/start.yml b/roles/opensearch-dashboards/tasks/start.yml
index ea222f8..04b8274 100644
--- a/roles/opensearch-dashboards/tasks/start.yml
+++ b/roles/opensearch-dashboards/tasks/start.yml
@@ -15,7 +15,7 @@
 - name: Check Opensearch Dashboards health
 remote_user: dashboards
 shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{soctoolsproxy}}:5601/api/status" \
- --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+ --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
 | egrep "status....overall....since...[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}.[0-9]{3}Z...state...green"'
 register: result
 until: result.rc == 0
diff --git a/roles/opensearch-dashboards/tasks/update-config.yml b/roles/opensearch-dashboards/tasks/update-config.yml
index f7d6498..fe83ae8 100644
--- a/roles/opensearch-dashboards/tasks/update-config.yml
+++ b/roles/opensearch-dashboards/tasks/update-config.yml
@@ -30,7 +30,7 @@
 remote_user: dashboards
 shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
 -b /tmp/cookie.txt -c /tmp/cookie.txt \
- -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass")}} \
+ -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits")}} \
 -H "osd-xsrf: reporting" -H "Content-Type: multipart/form-data" \
 -F "file=@/tmp/opensearch-dashboards_graphs.ndjson"'
 ignore_errors: True
diff --git a/roles/opensearches/tasks/init.yml b/roles/opensearches/tasks/init.yml
index 0337287..faa9696 100644
--- a/roles/opensearches/tasks/init.yml
+++ b/roles/opensearches/tasks/init.yml
@@ -37,7 +37,7 @@
 - name: Change password for admin
 remote_user: opensearch
- shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}} | tail -n 1
+ shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits')}} | tail -n 1
 register: adminhash
 - set_fact:
@@ -46,7 +46,7 @@
 - name: Change password for cortex
 remote_user: opensearch
- shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_opensearch')}} | tail -n 1
+ shell: export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash plugins/opensearch-security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_opensearch chars=ascii_letters,digits')}} | tail -n 1
 register: cortexhash
 - set_fact:
@@ -77,7 +77,7 @@
 - name: Configure Opensearch security
 remote_user: opensearch
- shell: "export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash ./plugins/opensearch-security/tools/securityadmin.sh -h {{groups['opensearchescontainers'][0]}} -cd /opt/opensearch/config/opensearch-security/ -ks '/opt/opensearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /opt/opensearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
+ shell: "export OPENSEARCH_JAVA_HOME=/opt/opensearch/jdk; bash ./plugins/opensearch-security/tools/securityadmin.sh -h {{groups['opensearchescontainers'][0]}} -cd /opt/opensearch/config/opensearch-security/ -ks '/opt/opensearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}} chars=ascii_letters,digits')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}} chars=ascii_letters,digits')}} -ts /opt/opensearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
 when: "'{{groups['opensearchescontainers'][0]}}' in inventory_hostname"
 - name: Set Autostart for supervisord's services
diff --git a/roles/thehive/tasks/createusers.yml b/roles/thehive/tasks/createusers.yml
index 9179cc5..8a97472 100644
--- a/roles/thehive/tasks/createusers.yml
+++ b/roles/thehive/tasks/createusers.yml
@@ -10,7 +10,7 @@
 - name: create users
 remote_user: root
- shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/{{ item.username}}.json"
+ shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/{{ item.username}}.json"
 args:
 warn: false
 with_items:
diff --git a/roles/thehive/tasks/kibanauser.yml b/roles/thehive/tasks/kibanauser.yml
index d4b44b0..0041a5d 100644
--- a/roles/thehive/tasks/kibanauser.yml
+++ b/roles/thehive/tasks/kibanauser.yml
@@ -8,7 +8,7 @@
 - name: create kibana user
 remote_user: root
- shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/kibanauser.json | cut -d\\\" -f4"
+ shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/kibanauser.json | cut -d\\\" -f4"
 register: kibanauser
 args:
 warn: false
@@ -18,7 +18,7 @@
 - name: create API key for kibana user
 remote_user: root
- shell: "curl -XPOST -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/v1/user/{{kibanauser.stdout}}/key/renew 2> /dev/null | tee /tmp/kibanaapikey"
+ shell: "curl -XPOST -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/v1/user/{{kibanauser.stdout}}/key/renew 2> /dev/null | tee /tmp/kibanaapikey"
 register: kibanaapikey
 args:
 warn: false
diff --git a/roles/thehive/tasks/organization.yml b/roles/thehive/tasks/organization.yml
index 4477ab3..b3f03de 100644
--- a/roles/thehive/tasks/organization.yml
+++ b/roles/thehive/tasks/organization.yml
@@ -5,7 +5,7 @@
 url: "http://127.0.0.1:9000/api/organisation"
 method: POST
 headers:
- Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
+ Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}"
 body_format: form-urlencoded
 body:
 name: "{{ org_name }}"
diff --git a/roles/thehive/templates/adminpass.json b/roles/thehive/templates/adminpass.json
index 96292db..373d30c 100644
--- a/roles/thehive/templates/adminpass.json
+++ b/roles/thehive/templates/adminpass.json
@@ -1 +1 @@
-{"password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_adminpass')}}"}
+{"password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_adminpass chars=ascii_letters,digits')}}"}
diff --git a/roles/thehive/templates/application.conf.j2 b/roles/thehive/templates/application.conf.j2
index b9f0782..b2f39d6 100644
--- a/roles/thehive/templates/application.conf.j2
+++ b/roles/thehive/templates/application.conf.j2
@@ -5,7 +5,7 @@
 ## Include Play secret key
 # More information on secret key at https://www.playframework.com/documentation/2.8.x/ApplicationSecret
 #include "/etc/thehive/secret.conf"
-play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
+play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key chars=ascii_letters,digits')}}"
 ## Database configuration
 db.janusgraph {
diff --git a/utils/flow2template.py b/utils/flow2template.py
index 3a6f1fe..a24912d 100755
--- a/utils/flow2template.py
+++ b/utils/flow2template.py
@@ -23,7 +23,7 @@ for v in et.findall(".//variable"):
 elif a['name']=="elastic_username":
 a['value']="{{ elastic_username }}"
 elif a['name']=="elastic_password":
- a['value']="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass')}}"
+ a['value']="{{lookup('password', '{{playbook_dir}}/secrets/passwords/opensearches_adminpass chars=ascii_letters,digits')}}"
 for v in et.findall(".//controllerService[name='Soctools CA']/property[name='Truststore Password']/value"):
 v.text="{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
-- 
GitLab
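Review bot: The new `a['value']` assignment hardcodes the same lookup literal that the `flow.xml.j2` hunk earlier in this patch carries, and since this script presumably regenerates that template, the two copies (and the other files touched here) have to be kept in step by hand whenever the lookup arguments change. Defining the lookup arguments once as an Ansible variable and referencing it from the templates and from this script would turn a character-set or length change into a one-place edit. The enclosing `for v in et.findall(".//variable")` loop and the `a` binding it iterates start outside the hunk.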